@sun-asterisk/sunlint 1.3.4 → 1.3.6

package/rules/security/S024_xpath_xxe_protection/symbol-based-analyzer.js

@@ -0,0 +1,474 @@
+/**
+ * S024 Symbol-Based Analyzer - Protect against XPath Injection and XML External Entity (XXE)
+ * Uses TypeScript compiler API for semantic analysis
+ */
+
+const ts = require("typescript");
+
+class S024SymbolBasedAnalyzer {
+  constructor(semanticEngine = null) {
+    this.semanticEngine = semanticEngine;
+    this.ruleId = "S024";
+    this.category = "security";
+
+    // XPath-related method names that can be vulnerable
+    this.xpathMethods = [
+      "evaluate",
+      "select", 
+      "selectText",
+      "selectValue",
+      "selectNodes",
+      "selectSingleNode"
+    ];
+
+    // XML parsing methods that can have XXE vulnerabilities
+    this.xmlParsingMethods = [
+      "parseString",
+      "parseXml", 
+      "parseFromString",
+      "parse",
+      "parseXmlString",
+      "transform"
+    ];
+
+    // XML parser constructors that need XXE protection
+    this.xmlParserConstructors = [
+      "DOMParser",
+      "XSLTProcessor", 
+      "SAXParser"
+    ];
+
+    // User input sources that could lead to injection
+    this.userInputSources = [
+      "req",
+      "request", 
+      "params",
+      "query",
+      "body",
+      "headers",
+      "cookies"
+    ];
+
+    // Secure XPath/XML patterns
+    this.securePatterns = [
+      "parameterized",
+      "escaped", 
+      "sanitized",
+      "validate"
+    ];
+  }
+
+  /**
+   * Initialize analyzer with semantic engine
+   */
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.verbose) {
+      console.log(`🔍 [${this.ruleId}] Symbol: Semantic engine initialized`);
+    }
+  }
+
+  async analyze(filePath) {
+    if (this.verbose) {
+      console.log(
+        `🔍 [${this.ruleId}] Symbol: Starting analysis for ${filePath}`
+      );
+    }
+
+    if (!this.semanticEngine) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: No semantic engine available, skipping`
+        );
+      }
+      return [];
+    }
+
+    try {
+      const sourceFile = this.semanticEngine.getSourceFile(filePath);
+      if (!sourceFile) {
+        if (this.verbose) {
+          console.log(
+            `🔍 [${this.ruleId}] Symbol: No source file found, trying ts-morph fallback`
+          );
+        }
+        return await this.analyzeTsMorph(filePath);
+      }
+
+      if (this.verbose) {
+        console.log(`🔧 [${this.ruleId}] Source file found, analyzing...`);
+      }
+
+      return await this.analyzeSourceFile(sourceFile, filePath);
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: Error in analysis:`,
+          error.message
+        );
+      }
+      return [];
+    }
+  }
+
+  async analyzeTsMorph(filePath) {
+    try {
+      if (this.verbose) {
+        console.log(`🔍 [${this.ruleId}] Symbol: Starting ts-morph analysis`);
+      }
+
+      const { Project } = require("ts-morph");
+      const project = new Project();
+      const sourceFile = project.addSourceFileAtPath(filePath);
+
+      return await this.analyzeSourceFile(sourceFile, filePath);
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: ts-morph analysis failed:`,
+          error.message
+        );
+      }
+      return [];
+    }
+  }
+
+  async analyzeSourceFile(sourceFile, filePath) {
+    const violations = [];
+
+    try {
+      if (this.verbose) {
+        console.log(`🔍 [${this.ruleId}] Symbol: Starting symbol-based analysis`);
+      }
+
+      const callExpressions = sourceFile.getDescendantsOfKind
+        ? sourceFile.getDescendantsOfKind(
+            require("typescript").SyntaxKind.CallExpression
+          )
+        : [];
+
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: Found ${callExpressions.length} call expressions`
+        );
+      }
+
+      for (const callNode of callExpressions) {
+        try {
+          // Analyze XPath injection vulnerabilities
+          const xpathViolation = this.analyzeXPathCall(callNode, sourceFile);
+          if (xpathViolation) {
+            violations.push(xpathViolation);
+          }
+
+          // Analyze XXE vulnerabilities  
+          const xxeViolation = this.analyzeXXEVulnerability(callNode, sourceFile);
+          if (xxeViolation) {
+            violations.push(xxeViolation);
+          }
+
+        } catch (error) {
+          if (this.verbose) {
+            console.log(
+              `🔍 [${this.ruleId}] Symbol: Error analyzing call expression:`,
+              error.message
+            );
+          }
+        }
+      }
+
+      // Also check for new expressions (constructors)
+      const newExpressions = sourceFile.getDescendantsOfKind
+        ? sourceFile.getDescendantsOfKind(
+            require("typescript").SyntaxKind.NewExpression
+          )
+        : [];
+
+      for (const newNode of newExpressions) {
+        try {
+          const xxeViolation = this.analyzeXMLParserConstructor(newNode, sourceFile);
+          if (xxeViolation) {
+            violations.push(xxeViolation);
+          }
+        } catch (error) {
+          if (this.verbose) {
+            console.log(
+              `🔍 [${this.ruleId}] Symbol: Error analyzing new expression:`,
+              error.message
+            );
+          }
+        }
+      }
+
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: Analysis completed. Found ${violations.length} violations`
+        );
+      }
+
+      return violations;
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: Error in source file analysis:`,
+          error.message
+        );
+      }
+      return [];
+    }
+  }
+
+  analyzeXPathCall(callNode, sourceFile) {
+    try {
+      const expression = callNode.getExpression();
+      const methodName = this.getMethodName(expression);
+
+      if (!this.xpathMethods.includes(methodName)) {
+        return null;
+      }
+
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: XPath method call detected: ${methodName}`
+        );
+      }
+
+      // Check if user input is used in XPath arguments
+      const args = callNode.getArguments();
+      if (args.length === 0) {
+        return null;
+      }
+
+      const firstArg = args[0];
+      if (this.containsUserInput(firstArg)) {
+        return this.createViolation(
+          sourceFile,
+          callNode,
+          `XPath Injection vulnerability: User input used directly in ${methodName}() without proper sanitization`
+        );
+      }
+
+      // Check for string concatenation with user input
+      if (this.containsStringConcatenationWithUserInput(firstArg)) {
+        return this.createViolation(
+          sourceFile,
+          callNode,
+          `XPath Injection vulnerability: XPath query constructed using string concatenation with user input`
+        );
+      }
+
+      return null;
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: Error analyzing XPath call:`,
+          error.message
+        );
+      }
+      return null;
+    }
+  }
+
+  analyzeXXEVulnerability(callNode, sourceFile) {
+    try {
+      const expression = callNode.getExpression();
+      const methodName = this.getMethodName(expression);
+
+      if (!this.xmlParsingMethods.includes(methodName)) {
+        return null;
+      }
+
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: XML parsing method detected: ${methodName}`
+        );
+      }
+
+      // Check if XXE protection is implemented
+      const hasProtection = this.hasXXEProtectionInContext(callNode, sourceFile);
+      if (!hasProtection) {
+        return this.createViolation(
+          sourceFile,
+          callNode,
+          `XXE vulnerability: ${methodName}() used without disabling external entity processing`
+        );
+      }
+
+      return null;
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: Error analyzing XXE vulnerability:`,
+          error.message
+        );
+      }
+      return null;
+    }
+  }
+
+  analyzeXMLParserConstructor(newNode, sourceFile) {
+    try {
+      const expression = newNode.getExpression();
+      const constructorName = expression.getText();
+
+      const isXMLParser = this.xmlParserConstructors.some(parser =>
+        constructorName.includes(parser)
+      );
+
+      if (!isXMLParser) {
+        return null;
+      }
+
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: XML parser constructor detected: ${constructorName}`
+        );
+      }
+
+      // Check if XXE protection is configured
+      const hasProtection = this.hasXXEProtectionInContext(newNode, sourceFile);
+      if (!hasProtection) {
+        return this.createViolation(
+          sourceFile,
+          newNode,
+          `XXE vulnerability: ${constructorName} instantiated without XXE protection`
+        );
+      }
+
+      return null;
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: Error analyzing XML parser constructor:`,
+          error.message
+        );
+      }
+      return null;
+    }
+  }
+
+  containsUserInput(node) {
+    try {
+      const nodeText = node.getText();
+      return this.userInputSources.some(source => 
+        nodeText.includes(`${source}.`) || nodeText.includes(`${source}[`)
+      );
+    } catch (error) {
+      return false;
+    }
+  }
+
+  containsStringConcatenationWithUserInput(node) {
+    try {
+      const nodeText = node.getText();
+      
+      // Check for binary expressions with +
+      if (nodeText.includes('+')) {
+        return this.userInputSources.some(source =>
+          nodeText.includes(`${source}.`) || nodeText.includes(`${source}[`)
+        );
+      }
+
+      // Check for template literals with user input
+      if (nodeText.includes('`') && nodeText.includes('${')) {
+        return this.userInputSources.some(source =>
+          nodeText.includes(`\${${source}.`) || nodeText.includes(`\${${source}[`)
+        );
+      }
+
+      return false;
+    } catch (error) {
+      return false;
+    }
+  }
+
+  hasXXEProtectionInContext(node, sourceFile) {
+    try {
+      // Get the parent scope (function/method) to check for XXE protection
+      let parent = node.getParent();
+      while (parent && !this.isFunctionLike(parent)) {
+        parent = parent.getParent();
+      }
+
+      if (!parent) {
+        return false;
+      }
+
+      const functionText = parent.getText();
+      
+      // Check for XXE protection patterns
+      const protectionPatterns = [
+        /resolveExternalEntities\s*:\s*false/,
+        /setFeature.*disallow-doctype-decl.*true/,
+        /setFeature.*external-general-entities.*false/,
+        /setFeature.*external-parameter-entities.*false/,
+        /explicitChildren\s*:\s*false/,
+        /ignoreAttrs\s*:\s*true/,
+        /parseDoctype\s*:\s*false/
+      ];
+
+      return protectionPatterns.some(pattern => pattern.test(functionText));
+    } catch (error) {
+      return false;
+    }
+  }
+
+  isFunctionLike(node) {
+    try {
+      const SyntaxKind = require("typescript").SyntaxKind;
+      const kind = node.getKind();
+      
+      return kind === SyntaxKind.FunctionDeclaration ||
+             kind === SyntaxKind.FunctionExpression ||
+             kind === SyntaxKind.ArrowFunction ||
+             kind === SyntaxKind.MethodDeclaration;
+    } catch (error) {
+      return false;
+    }
+  }
+
+  getMethodName(expression) {
+    try {
+      const ts = require("typescript");
+
+      if (expression.getKind() === ts.SyntaxKind.PropertyAccessExpression) {
+        return expression.getNameNode().getText();
+      }
+
+      if (expression.getKind() === ts.SyntaxKind.Identifier) {
+        return expression.getText();
+      }
+
+      return "";
+    } catch (error) {
+      return "";
+    }
+  }
+
+  createViolation(sourceFile, node, message) {
+    try {
+      const start = node.getStart();
+      const lineAndChar = sourceFile.getLineAndColumnAtPos(start);
+
+      return {
+        rule: this.ruleId,
+        source: sourceFile.getFilePath(),
+        category: this.category,
+        line: lineAndChar.line,
+        column: lineAndChar.column,
+        message: message,
+        severity: "error",
+      };
+    } catch (error) {
+      if (this.verbose) {
+        console.log(
+          `🔍 [${this.ruleId}] Symbol: Error creating violation:`,
+          error.message
+        );
+      }
+      return null;
+    }
+  }
+}
+
+module.exports = S024SymbolBasedAnalyzer;

package/rules/security/S025_server_side_validation/README.md

@@ -0,0 +1,179 @@
+# S025 - Always validate client-side data on the server
+
+## Mô tả
+
+Rule S025 đảm bảo rằng tất cả dữ liệu từ client đều được validate trên server. Client-side validation không đủ để bảo mật vì có thể bị bypass bởi kẻ tấn công. Server-side validation là bắt buộc để đảm bảo tính toàn vẹn dữ liệu và bảo mật.
+
+## OWASP Mapping
+
+- **Category**: A03:2021 – Injection
+- **Subcategories**: 
+  - A04:2021 – Insecure Design
+  - A07:2021 – Identification and Authentication Failures
+
+## Các Pattern được phát hiện
+
+### 1. NestJS Violations
+
+#### ❌ Sử dụng @Body() với 'any' type
+```typescript
+@Post('/checkout')
+checkout(@Body() body: any) {
+  // Client có thể inject bất kỳ field nào như isAdmin, discount
+  return this.orderService.checkout(body);
+}
+```
+
+#### ❌ Trust sensitive fields từ client
+```typescript
+@Post('/orders')
+create(@Body() { userId, price, discount, isAdmin }: any) {
+  // userId, price, discount, isAdmin KHÔNG nên từ client
+  return this.orderService.create(userId, price, discount, isAdmin);
+}
+```
+
+#### ✅ Cách fix đúng
+```typescript
+// Cấu hình ValidationPipe global
+app.useGlobalPipes(new ValidationPipe({
+  whitelist: true,
+  forbidNonWhitelisted: true,
+  transform: true
+}));
+
+// Sử dụng DTO với validation
+export class CheckoutDto {
+  @IsUUID() productId: string;
+  @IsInt() @Min(1) @Max(100) quantity: number;
+  @IsOptional() @IsIn(['SPRING10','VIP20']) coupon?: string;
+}
+
+@Post('/checkout')
+@UseGuards(JwtAuthGuard)
+checkout(@Body() dto: CheckoutDto, @Req() req) {
+  const userId = req.user.sub; // Từ JWT, không phải client
+  const discount = this.pricingService.resolveCoupon(dto.coupon, userId);
+  return this.orderService.checkout({ userId, ...dto, discount });
+}
+```
+
+### 2. Express.js Violations
+
+#### ❌ Direct sử dụng req.body không có validation
+```typescript
+app.post('/checkout', (req, res) => {
+  const { userId, price, discount } = req.body;
+  // Không có server-side validation
+  const order = await orderService.create(userId, price, discount);
+});
+```
+
+#### ✅ Cách fix đúng
+```typescript
+app.post('/checkout', [
+  body('productId').isUUID(),
+  body('quantity').isInt({ min: 1, max: 100 }),
+  body('coupon').optional().isIn(['SPRING10', 'VIP20']),
+  validateRequest
+], async (req, res) => {
+  const userId = req.user.id; // Từ auth middleware
+  const { productId, quantity, coupon } = req.body; // Đã được validate
+  // ...
+});
+```
+
+### 3. SQL Injection
+
+#### ❌ String concatenation/template literals
+```typescript
+async findUser(userId: string) {
+  const query = `SELECT * FROM users WHERE id = ${userId}`;
+  return await this.connection.query(query);
+}
+```
+
+#### ✅ Parameterized queries
+```typescript
+async findUser(userId: string) {
+  const query = 'SELECT * FROM users WHERE id = ?';
+  return await this.connection.query(query, [userId]);
+}
+```
+
+### 4. File Upload
+
+#### ❌ Không có validation server-side
+```typescript
+@Post('/avatar')
+@UseInterceptors(FileInterceptor('file'))
+uploadAvatar(@UploadedFile() file) {
+  // Không validate type, size, content
+  return this.fileService.save(file);
+}
+```
+
+#### ✅ Validation đầy đủ
+```typescript
+@Post('/avatar')
+@UseInterceptors(FileInterceptor('file', {
+  limits: { fileSize: 5 * 1024 * 1024 },
+  fileFilter: (req, file, cb) => {
+    const allowedMimes = ['image/jpeg', 'image/png'];
+    if (!allowedMimes.includes(file.mimetype)) {
+      return cb(new BadRequestException('Invalid file type'), false);
+    }
+    cb(null, true);
+  }
+}))
+async uploadAvatar(@UploadedFile() file) {
+  // Additional server-side validation
+  const isValid = await this.fileService.validateImageContent(file.path);
+  if (!isValid) {
+    throw new BadRequestException('Invalid image file');
+  }
+  return this.fileService.processAvatar(file);
+}
+```
+
+## Sensitive Fields
+
+Rule phát hiện các field nhạy cảm không nên trust từ client:
+
+- `userId`, `user_id`, `id`
+- `role`, `roles`, `permissions` 
+- `price`, `amount`, `total`, `cost`
+- `isAdmin`, `is_admin`, `admin`
+- `discount`, `balance`, `credits`
+- `isActive`, `is_active`, `enabled`
+- `status`, `state`
+
+## Test Command
+
+```bash
+node cli.js --input=./examples/rule-test-fixtures/rules/S025_server_side_validation --rule=S025 --engine=heuristic
+```
+
+## Framework Support
+
+- ✅ **NestJS**: ValidationPipe, DTO validation, class-validator
+- ✅ **Express.js**: express-validator, joi, yup validation middleware  
+- ✅ **TypeORM**: Parameterized queries, QueryBuilder
+- ✅ **File Upload**: Multer validation, file type checking
+
+## Checklist
+
+- [ ] Sử dụng ValidationPipe global với `whitelist`, `forbidNonWhitelisted`, `transform`
+- [ ] Tất cả route có DTO + class-validator, không sử dụng `any`/`Record<string, any>`
+- [ ] Không nhận field nhạy cảm từ client (`userId`, `role`, `price`, `isAdmin`)
+- [ ] Tính toán giá/discount ở server từ dữ liệu chuẩn, không tin client
+- [ ] Query DB luôn tham số hóa; tham số động (sort, column) phải whitelist
+- [ ] Upload file: kiểm tra type/size server-side; không render trực tiếp SVG
+- [ ] Endpoint thanh toán có idempotency key/nonce/timestamp chống replay
+- [ ] Exception filter: log nội bộ chi tiết, trả message tối giản cho client
+
+## Tham khảo
+
+- [OWASP Input Validation](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs)
+- [NestJS Validation](https://docs.nestjs.com/techniques/validation)
+- [Express Validator](https://express-validator.github.io/docs/)